• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion
  • Inviting everyone to the UX test of a new security feature in the WP Toolkit
    For WordPress site owners, threats posed by hackers are ever-present. Because of this, we are developing a new security feature for the WP Toolkit. If the topic of WordPress website security is relevant to you, we would be grateful if you could share your experience and help us test the usability of this feature. We invite you to join us for a 1-hour online session via Google Meet. Select a convenient meeting time with our friendly UX staff here.

PCI Compliance: jsw.js

U

ukOliverS

New Pleskian
Hey,

On performing a PCI compliance scan from SecurityMetrics against a fully patched Plesk server (11.5):

<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<patches>
<product id="plesk" version="11.5.30" installed-at="20130821T010234">
<patch version="13" timestamp="" installed-at="20130824T112258" />
</product>
</patches>
Click to expand...

The following issue is highlighted:

Description: CGI Generic Command Execution (time-based)
Synopsis: It may be possible to run arbitrary code on the remote web server.

Impact: The remote web server hosts CGI scripts that fail to adequately sanitize request strings. By
leveraging this issue, an attacker may be able to execute arbitrary commands on the remote host.
Note that this script uses a time-based detection method which is less reliable than the basic method.



Data Received: Using the GET HTTP method, SecurityMetrics found that :
+ The following resources may be vulnerable to arbitrary command execution (time based) :
+ The '1376892702' parameter of the /javascript/jsw.js CGI : /javascript/jsw.js?
1376892702=%7C%7C%20sleep%2021%20%26
-------- output -------- // Copyright 1999-2012. Parallels IP Holdings GmbH. All Rights Reserved. /*
JavaScript Widgets */
Jsw = {
version: '1.0', baseUrl: '',
_registredComponents: null, _initOnReady: false, [...] ------------------------
Click to expand...

SM are happy to mark it as a false positive but first need to clarify exactly what this file does. Suspect this is a false positive but would appreciate some input from Parallels.
 
Judging by the source (available at /usr/local/psa/admin/htdocs/javascript/jsw.js) it's just a JavaScript library. Since it is served as static content, it couldn't be affected by any GET parameters, IMO. Therefore this time-based check should be a false positive. You should probably wait for the official comment though.
 
1376892702 is a timestamp. It's needed to control browser cache and nothing more. If jsw.js changed on the server (new version of Plesk was installed) new timestamp will be generated, that will force the browser to repeat request for jsw.js instead of using file retrieved earlier. File jsw.js is a static JavaScript file and its content could not be affected anyhow by GET parameters.
 
You must log in or register to reply here.

Similar threads

danami
Input Sentinel Anti-malware Extension for Plesk
Replies
6
Views
3K
danami
danami
raytracy
Resolved Backup job cannot find domain?
Replies
2
Views
1K
raytracy
raytracy
J
Vulnerability in ProFTP 1.3.3d (PCI Compliance)
Replies
4
Views
2K
JohnToTheK
J
D
Help with PCI compliance | SMTP SSL | Courier IMAP | Port 3306
Replies
2
Views
4K
Deoxymono
D
D
PCI Compliance Issues
Replies
2
Views
2K
Jllynch
Jllynch
Back
Top